From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
Commit ac4e97abce9b8 ("scatterlist: sg_set_buf() argument must be in linear
mapping") checks that both the signature and the digest reside in the
linear mapping area.
However, more recently commit ba14a194a434c ("fork: Add generic vmalloced
stack support"), made it possible to move the stack in the vmalloc area,
which is not contiguous, and thus not suitable for sg_set_buf() which needs
adjacent pages.
Check if the signature and digest passed to public_key_verify_signature()
are in the linear mapping area and, for those which are not, make a copy in
the linear mapping area with kmalloc() and adjust the pointer passed to
sg_set_buf(). Reuse the existing kmalloc() and increase the allocation size
as needed.
Minimize the number of copies with the compile-time check of
CONFIG_VMAP_STACK and with the run-time check virt_addr_valid().
Cc: stable@xxxxxxxxxxxxxxx # 4.9.x
Fixes: ba14a194a434 ("fork: Add generic vmalloced stack support")
Link: https://lore.kernel.org/linux-integrity/Y4pIpxbjBdajymBJ@sol.localdomain/
Suggested-by: Eric Biggers <ebiggers@xxxxxxxxxx>
Signed-off-by: Roberto Sassu <roberto.sassu@xxxxxxxxxx>
---
crypto/asymmetric_keys/public_key.c | 39 +++++++++++++++++++++++++----
1 file changed, 34 insertions(+), 5 deletions(-)
diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
index 2f8352e88860..307799ffbc3e 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -363,7 +363,8 @@ int public_key_verify_signature(const struct public_key *pkey,
struct scatterlist src_sg[2];
char alg_name[CRYPTO_MAX_ALG_NAME];
char *key, *ptr;
- int ret;
+ char *sig_s, *digest;
+ int ret, verif_bundle_len;
pr_devel("==>%s()\n", __func__);
@@ -400,8 +401,21 @@ int public_key_verify_signature(const struct public_key *pkey,
if (!req)
goto error_free_tfm;
- key = kmalloc(pkey->keylen + sizeof(u32) * 2 + pkey->paramlen,
- GFP_KERNEL);
+ verif_bundle_len = pkey->keylen + sizeof(u32) * 2 + pkey->paramlen;
+
+ sig_s = sig->s;
+ digest = sig->digest;
+
+ if (IS_ENABLED(CONFIG_VMAP_STACK)) {
+ if (!virt_addr_valid(sig_s))
+ verif_bundle_len += sig->s_size;
+
+ if (!virt_addr_valid(digest))
+ verif_bundle_len += sig->digest_size;
+ }
+
+ /* key points to a buffer which could contain the sig and digest too. */
+ key = kmalloc(verif_bundle_len, GFP_KERNEL);
if (!key)
goto error_free_req;
@@ -424,9 +438,24 @@ int public_key_verify_signature(const struct public_key *pkey,
goto error_free_key;
}
+ if (IS_ENABLED(CONFIG_VMAP_STACK)) {
+ ptr += pkey->paramlen;
+
+ if (!virt_addr_valid(sig_s)) {
+ sig_s = ptr;
+ memcpy(sig_s, sig->s, sig->s_size);
+ ptr += sig->s_size;
+ }
+
+ if (!virt_addr_valid(digest)) {
+ digest = ptr;
+ memcpy(digest, sig->digest, sig->digest_size);
+ }
+ }
+
sg_init_table(src_sg, 2);
- sg_set_buf(&src_sg[0], sig->s, sig->s_size);
- sg_set_buf(&src_sg[1], sig->digest, sig->digest_size);
+ sg_set_buf(&src_sg[0], sig_s, sig->s_size);
+ sg_set_buf(&src_sg[1], digest, sig->digest_size);
akcipher_request_set_crypt(req, src_sg, NULL, sig->s_size,
sig->digest_size);
crypto_init_wait(&cwait);
--
2.25.1
